Moscow Hacking Week: how to make money from hacking companies and whether it is possible to hijack a satellite?

Positive Technologies hacker week has ended in Moscow.

Moscow Hacking Week, organized by Positive Technologies, has come to an end in Moscow. From November 18 to 26, it hosted four major events in the information security industry: the updated Standoff 12 cyber battle; Standoff 101, a conference and workshops for beginners in the field of cybersecurity; the closed Standoff Hacks event for real pros; and a new round of the Standoff Talks meetup. Hacker Week was visited by more than 2 thousand people. In addition, 84,000 viewers watched the event and participated in competitions and contests online.

Standoff 101: scheme of the brain of a security guard from Tinkoff and where to learn from a white hacker

Hacker Week was opened by the two-day event Standoff 101, designed for students and novice specialists who want to develop in the field of information security. 17 experts spoke about how they got started in the profession.

According to Dmitry Gadar, Vice President and Director of the Information Security Department at Tinkoff Bank, the skills of an information security specialist should not be limited to cybersecurity.

"You should have a good understanding of how the company works and why it needs you. Information security is only one of the skills, and, for example, soft skills are no less important —" Dmitry explained. — You should clearly know what purpose the business is pursuing. The fact is that it is impossible to protect the infrastructure 100%. You need to be able to identify critical assets and invalid events. This is a complex job and a constant dialogue with the business, sometimes in different languages. It is extremely important to establish this interaction."

A modern threat researcher should be able to formulate hypotheses, test them and connect them into causal relationships, says Denis Makrushin, Technical Director of MTS RED.

"The first superpower is the habit of generating hypotheses. It doesn't matter if you are an information security specialist or a developer: if you ask yourself the question "What if?“ then you are already a researcher. A security guard also needs to be able to write code to automate the routine. The third sign of a researcher is the ability to look for causal relationships," says Denis Makrushin.

It is better for students to take internships in state-owned companies, as well as devote more time and effort to additional training. This advice was given by Lev Nikolaev, Head of the Information Security Department of the Rosatom Technical Academy.

"The university is not the only place where you can get the necessary skills. Forget about the "I'll stop learning, then I'll work" scheme. You need to learn constantly. It is also important to develop not only in the field of information security, but also in the field of IT technologies. There is no cybersecurity without IT. An information security administrator is a superversion of an IT administrator," said Lev Nikolaev.

In turn, Yulia Danchina, director of the Center for the Development of educational technologies at Positive Technologies, compared information security specialists with medical professionals.

"Falling in love with information security is quite simple: all areas of cybersecurity are interesting and in demand. In addition, an information security specialist is almost like a doctor who does everything to ensure that the industries of our economy are healthy," said Danchina.

On Wednesday, November 22, in the broadcast control room, specialists continued to share stories of their development in the field of information security.

The main thing for a cybersecurity specialist is to practice constantly (for example, by participating in CTF competitions and bug bounty programs) and to study continuously, including analyzing other people's reports. Vyacheslav Vasin, Deputy Head of the Competence Center for Security Analysis at Kaspersky Lab, is sure of this: "Bug bounty platforms often have open reports. You can download them and try to understand how the bug hunter thought, so that you can then apply these techniques in your work," he said.

Self-study is not suitable for all ethical hackers, says Olga Karelova, Associate Professor of the Department of Cryptology and Cybersecurity at MEPhI. "There must be either a strong motivation, or a minimum sufficient amount of knowledge. In the same videos on YouTube, not everything is explained correctly and in detail, which leads to the appearance of fans who copy other people's lines of code. They consider themselves hackers, but they are not hackers," Olga explained. After graduation, she continued her postgraduate studies, and also worked as a red teamer and researcher, headed the security analysis department, and received an Offensive Security Certified Professional (OSCP) certificate. The best way to start the path of a white hacker, according to Olga, is CTF competitions.

Philip Nikiforov, a senior specialist in the mobile application security research group at Positive Technologies, read articles about hacking at the age of 13, developed skills by participating in CTF, and then in bug bounty programs. In his second year of college, Philip began to receive fairly large rewards for finding vulnerabilities and fully focused on his career as a bug hunter. The expert noted that in modern technology companies, as a rule, they do not require a diploma, the main thing is practical knowledge. Olga Karelova does not agree with this position. According to her, in some companies, higher education is required for career growth, and not necessarily specialized.

Rewards on Russian bug bounty platforms are comparable to payments on leading international platforms

Within the framework of Moscow Hacking Week, a new round of Standoff Talks meetup was held on November 24 and 25, where pros and enthusiasts from the information security sector could exchange views on industry problems and challenges.

Anatoly Ivanov, Product Manager for Standoff 365, summed up the results of the work of the platform for finding vulnerabilities — Standoff 365 Bug Bounty, launched in May 2022. The maximum payments are already comparable to similar rewards on global platforms and reach 3 million rubles. The largest number of programs were placed by companies from the IT sector (38%), government agencies (17%) and educational platforms (11%). 7537 researchers registered on the site, including Rambler&Co, VK, Gosuslugi, Odnoklassniki, and Tinkoff.

It is also worth noting the report "Malware Development: Cryptography" by information security researcher Zhasulan Zhusupov, who studied ways to bypass antivirus programs. After several experiments, the speaker found out that classic cryptographic solutions (for example, A5 / 1, DES, Madryga, RC5, Skipjack, TEA, Grasshopper) are still effective for encrypting payloads. They can also be used by attackers to encrypt communication with the control server. In the future, Zhasulan plans to evaluate the effectiveness of the algorithms used on the cryptographic virus.

Vladimir Razov, a specialist in the Web application security analysis group at Positive Technologies, gave a report entitled "Breaking firmware to get CVE vulnerabilities", which was devoted to finding security flaws in the firmware of embedded network devices. For example, when investigating a buffer overflow vulnerability in the D-Link DAP-1325 wireless repeater, the researcher found that only the Taiwanese D-Link website has a suitable firmware version for analysis. To identify the flaw, the speaker started the web server, created the interface that the system is trying to find, used the debugger, solved problems with NVRAM and other tasks. After demonstrating scenarios for finding vulnerabilities in several D-Link devices, Vladimir showed how to launch the main components that have access to the network, and also told how to debug a binary file and write an exploit for it.

"There were a lot of interesting performances at Standoff Talks. For those who plan to watch them on the record, I advise you to pay attention to offensive security: redtimers and bug hunters demonstrated cool research, shared their experience, and showed modern techniques for circumventing security tools in practice. This time, all reports were selected by well-known experts from the community. This is one of our main tasks-to develop the community and make decisions based on the opinion of its participants, " said Yaroslav Babin, Product Director of Standoff 365.

Cyberbattle Standoff came to space, and Positive Technologies offered 5 million rubles for the introduction of third-party code in one of its products

The Cyberdome venue gave Standoff 12 visitors the effect of maximum immersion in the atmosphere of the cyber battle through interactive installations and other technological innovations.

In addition to the energy, oil and gas, transport, financial and urban ecosystems, the cyber battle recreated the space industry for the first time: participants had to gain control of the RUVDS space satellite. They were also offered equipment identical to that used when sending commands from Earth to orbit.

"The satellite project is a scientific and educational one, and participation in the cyber battle fits perfectly into our vision. We try to protect our clients infrastructure and data as much as possible, protecting them from DDoS attacks and other undesirable events. And events such as Standoff help you always stay on top and track trends in information security," said Nikita Tsaplin, CEO of RUVDS hosting provider.

At Standoff 12, a lot of targets were added in the transport segment and in the housing and utilities system, and blue teams could not only detect attacks, but also prevent them. This time the defenders faced 15 attacking teams.

In four days in the virtual State F, teams managed to steal money, intercept the satellite signal, and provoke other unacceptable events. Red teams were able to conduct 211 successful attacks (49 of which were unique) and detect 296 vulnerabilities.

Codeby Pentest participants became five-time Standoff winners and retained the Champions Cup. In second place is the True0xA3 team. Rounding out the top three is the RHTxSH13LD team. The tournament table is presented on the Standoff website.

These four days were no less busy for the defenders: they discovered 401 incidents and investigated 65 attacks. The Your_shell_not_pass team was able to prevent 16 incidents in the transport company Heavy Logistics, and also investigated 20 successful attacks. The most reports on investigated attacks, 22, were submitted by the Command_and_Defend team, which defended the oil and gas industry. The City_FlGuard team, which protected banking, the most affected industry in the cyber battle, investigated six successful attacks. The Busy Beavers team has eight investigations, CyberNoobs seven, and the Rosreestr team two.

Along with Standoff, researchers were able to test the security of different companies as part of the Standoff Hacks private event. This priv8 event (in Internet slang, the word priv8 is sometimes used for private correspondence) for top bug hunters ended on the last day of Moscow Hacking Week, and its results will be published later in the Standoff 365 Telegram channel.

In addition, Positive Technologies recreated part of its real infrastructure, with its software development, build, and delivery processes, at the test site and invited anyone who wished to try to trigger an unacceptable event. The winner could receive 5 million rubles. This experiment is one of the stages of the global assessment of Positive Technologies' concept of effective cybersecurity on its own infrastructure, which began in 2022: then the company called on independent researchers to implement an unacceptable event, namely to transfer money from its accounts. The criterion for implementing the event at Standoff 12 was the presence, in the code of the assembled software product, of an arbitrary string constant that is not present in the standard build. However, during the four days of cyber attacks, the attackers failed to do so.

Presentations by experts and participants of the competition can be viewed on the Moscow Hacking Week website or on the cyber battle's YouTube channel.

Moscow Hacking Week was co-organized by Innostage, an IT company that develops and integrates digital security services and solutions. Gazinformservis, an integrator and security vendor, became the general partner of Hacker Week. Standoff's technology partners are RUVDS and eKassir.

Next year, on May 23-26, another equally anticipated industry event will take place: the open cybersecurity festival Positive Hack Days.
 